Crash using @tryGetById in DFG

https://bugs.webkit.org/show_bug.cgi?id=156992 Reviewed by Filip Pizlo. We need to spill live registers when compiling TryGetById in DFG. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileTryGetById): * tests/stress/regress-156992.js: New test. (tryMultipleGetByIds): (test): Canonical link: https://commits.webkit.org/175104@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200048 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Apr 25, 2016 · f009482 · f009482
1 parent 7c5c9ae
commit f009482
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 1 deletion.
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
+2016-04-25  Michael Saboff  <msaboff@apple.com>
+
+        Crash using @tryGetById in DFG
+        https://bugs.webkit.org/show_bug.cgi?id=156992
+
+        Reviewed by Filip Pizlo.
+
+        We need to spill live registers when compiling TryGetById in DFG.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileTryGetById):
+        * tests/stress/regress-156992.js: New test.
+        (tryMultipleGetByIds):
+        (test):
+
 2016-04-25  Saam barati  <sbarati@apple.com>
 
         We don't have to parse a function's parameters every time if the function is in the source provider cache

diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -976,7 +976,7 @@ void SpeculativeJIT::compileTryGetById(Node* node)
 
         base.use();
 
-        cachedGetById(node->origin.semantic, baseRegs, resultRegs, node->identifierNumber(), JITCompiler::Jump(), DontSpill, AccessType::GetPure);
+        cachedGetById(node->origin.semantic, baseRegs, resultRegs, node->identifierNumber(), JITCompiler::Jump(), NeedToSpill, AccessType::GetPure);
 
         jsValueResult(resultRegs, node, DataFormatJS, UseChildrenCalledExplicitly);
         break;

diff --git a/Source/JavaScriptCore/tests/stress/regress-156992.js b/Source/JavaScriptCore/tests/stress/regress-156992.js
@@ -0,0 +1,33 @@
+// Verify that DFG TryGetById nodes properly save live registers.  This test should not crash.
+
+function tryMultipleGetByIds() { return '(function (base) { return @tryGetById(base, "value1") + @tryGetById(base, "value2") + @tryGetById(base, "value3"); })'; } 
+
+
+let get = createBuiltin(tryMultipleGetByIds());
+noInline(get);
+
+function test() {
+    let obj1 = {
+        value1: "Testing, ",
+        value2: "testing, ",
+        value3: "123",
+        expected: "Testing, testing, 123"
+    };
+    let obj2 = {
+        extraFieldToMakeThisObjectDifferentThanObj1: 42,
+        value1: 20,
+        value2: 10,
+        value3: 12,
+        expected: 42
+    };
+
+    let objects = [obj1, obj2];
+
+    for (let i = 0; i < 200000; i++) {
+        let obj = objects[i % 2];
+        if (get(obj) !== obj.expected)
+            throw new Error("wrong on iteration: " + i);
+    }
+}
+
+test();